Odd CURL problem
  1. #1  xoggoth

    Ever since I switched to HTTPS I've had problems with using CURL to connect to Worldpay. Submit code here:

    if (isset($_POST['submitw'])) {
        // $urlstring is assumed to hold the url-encoded form data built earlier
        // (e.g. with http_build_query()); that part is not shown in the post.
        $ch = curl_init("https://secure-test.worldpay.com/wcc/purchase");
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $urlstring);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_REFERER, "https://www.mycrapsite.co.uk/checkout.php");
        // With CURLOPT_RETURNTRANSFER set to 0, curl_exec() writes the response body
        // straight to the output buffer, so Worldpay's HTML is emitted into this page
        // ahead of the page's own markup; $data only receives true or false.
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 0);
        $data = curl_exec($ch);
        curl_close($ch);
    }

    I thought it was not connecting to Worldpay but it is. What is happening is that my page (has an absolute) still shows and is overlaying it! If I check page source I can see the Worldpay page followed by my page. Never heard of two web pages merged into 1 before!

    Any ideas? Ta.
    bloggoth

    If everything isn't black and white, I say, 'Why the hell not?'
    John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)

  2. #2

    The ape was reading his book.

    Normal service will be resumed once he's woken up.
    When the fun stops, STOP.

  3. #3  xoggoth

    Looking through all the online CURLY crap, it looks like it isn't intended to post to and open the new page as if you are posting from a form. It is posting and then getting the response, i.e. the content of the page I want to redirect to.

    But in that case I can't understand why it always worked fine before I upgraded to https.

    Was neater before when I could use a single form and self post for all payment methods and method selection, didn't lose values on changing method.
    Last edited by xoggoth; 4th April 2019 at 10:26.

  4. #4  darrylmg

    Is the code you've pasted taken from inside your source Web page, or is it perl from your cgi-bin?

    Don't believe it, until you see it!

  5. #5  xoggoth

    Ta for reply. Former. Think it came from Worldpay docs and was working fine for years.

    Anyway, found a good easy method using self post, pass values to a new page with session and submit form on that page to Worldpay using jscript.

    PHP - Redirecting a form with POST variables

    Think this method must be used a lot, often seeing pages that say summit like "Click here if not redirected to...
    Last edited by xoggoth; 5th April 2019 at 10:50.

  6. #6

    Quote Originally Posted by xoggoth View Post
    Ta for reply. Former. Think it came from Worldpay docs and was working fine for years.

    Anyway, found a good easy method using self post, pass values to a new page with session and submit form on that page to Worldpay using jscript.

    PHP - Redirecting a form with POST variables

    Think this method must be used a lot, often seeing pages that say summit like "Click here if not redirected to...
    Yeah, as stated by yourself curl just makes a web request and indeed you're actually looking to post the user, with some data, elsewhere. Thus you probably do want a form.

    However, your PHP examples are ancient and insecure. You shouldn't be using $_POST or $_GET in PHP code, and if you do for some reason, you need to be validating and escaping your input, which your example isn't doing.

    The form example is using htmlspecialchars but I'm not convinced this is adequate, though I haven't written PHP in years.

    Backing up a second. Modern PHP should be using a framework and composer to install packages. With composer, you can download the worldpay library to take care of this crap without needing to get into messing with curl directly.

    GitHub - Worldpay/worldpay-lib-php: PHP Library for Worldpay REST API

    Wonderfully, worldpay lib examples are also grabbing from $_POST, so use a framework. Symfony, High Performance PHP Framework for Web Development. I suspect you're going to decide this is too much work, but you're gonna get hacked doing what you're doing.

  7. #7

    No answer came the stern reply from the ape.

    I wonder if he knows more about div and grad.

  8. #8  xoggoth

    The form example is using htmlspecialchars but I'm not convinced this is adequate, though I haven't written PHP in years
    Cheers. Only had a quick look so far but I can't see anything online suggesting a problem with post if htmlspecialchars is used. I also apply length limits to values taken on my form. Since the values are being passed to Worldpay, I would expect them to protect against any dodgy data.

    The WP code, which I've looked into already, and Symfony do look like too much work, given that this is a tiny family company with negligible profits, more of a hobby really. Ta for the tips though, I will have a look at improvements.

  9. #9

    Quote Originally Posted by xoggoth View Post
    Cheers. Only had a quick look so far but I can't see anything online suggesting a problem with post if htmlspecialchars is used. I also apply length limits to values taken on my form. Since the values are being passed to Worldpay, i would expect them to protect against any dodgy data.

    The WP code, which I've looked into already, and Symfony do look like too much work, given that this is a tiny family company with negligible profits, more of a hobby really. Ta for the tips though, I will have a look at improvements.
    I dunno, try posting the following from a user point of view.

    PHP Code:
    phpinfo(); die(); 
    If that works, it means an attacker could probably curl and exec a reverse shell. Basically you're handing out RCEs. This obviously all depends where you get the variables from, if they're generated by your script, and not actually user input, then the issue is less valid.

    You want to be using functions like preg_match within php to validate input, as opposed to (as well as) doing it in javascript. Apologies if this is stuff you already know, just a tad worried from your original post.
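The pattern discussed in posts #5, #6 and #9, as an added example that is not code from the thread, from the linked article or from Worldpay: the checkout page validates its self-posted fields server-side with preg_match whitelists, stashes the survivors in the session, and the payment page emits a single-use auto-submitting form whose names and values are escaped for HTML attribute context with htmlspecialchars. The Worldpay field names (instId, cartId, amount, currency, desc), the validation patterns and the /pay.php path are assumptions for illustration; the endpoint URL is the one from post #1.

```php
<?php
// Added example, not code from the thread or from Worldpay. Field names, patterns
// and the /pay.php path are assumptions; the endpoint URL is the one in post #1.
declare(strict_types=1);

const WORLDPAY_URL = 'https://secure-test.worldpay.com/wcc/purchase';

// One whitelist pattern per field that may be forwarded. Anything that fails its
// pattern is rejected outright rather than "cleaned up" (the advice in post #9).
const FIELD_RULES = [
    'instId'   => '/^\d{1,10}$/',
    'cartId'   => '/^[A-Za-z0-9_-]{1,40}$/',
    'amount'   => '/^\d{1,7}\.\d{2}$/',
    'currency' => '/^[A-Z]{3}$/',
    'desc'     => '/^[\p{L}\p{N} .,\'-]{1,255}$/u',
];

/** Return only the whitelisted fields from a $_POST-shaped array, or null if any fails. */
function validate_checkout(array $input): ?array
{
    $clean = [];
    foreach (FIELD_RULES as $name => $pattern) {
        $value = $input[$name] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            return null;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

/** Escape for an HTML attribute context, the context htmlspecialchars() is correct for. */
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the auto-submitting form that hands the browser (not the server) to Worldpay. */
function render_redirect_form(array $fields, string $action): string
{
    $inputs = '';
    foreach ($fields as $name => $value) {
        $inputs .= sprintf("  <input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
                           esc_attr((string) $name), esc_attr($value));
    }
    $actionEsc = esc_attr($action);
    return "<form id=\"wp\" method=\"post\" action=\"$actionEsc\">\n"
         . $inputs
         . "  <noscript><button type=\"submit\">Click here if you are not redirected</button></noscript>\n"
         . "</form>\n"
         . "<script>document.getElementById('wp').submit();</script>\n";
}

if (PHP_SAPI !== 'cli') {
    session_start();
    // Step 1 (checkout.php self-posts to itself): validate, stash, redirect with 303.
    if (isset($_POST['submitw'])) {
        $clean = validate_checkout($_POST);
        if ($clean === null) {
            http_response_code(400);
            exit('Invalid checkout data');
        }
        $_SESSION['wp_fields'] = $clean;
        header('Location: /pay.php', true, 303);
        exit;
    }
    // Step 2 (pay.php): read the stashed fields once and emit the form.
    if (isset($_SESSION['wp_fields'])) {
        $fields = $_SESSION['wp_fields'];
        unset($_SESSION['wp_fields']);          // single use: a refresh cannot resubmit
        echo render_redirect_form($fields, WORLDPAY_URL);
        exit;
    }
}

// Command-line demo on constructed input (not real order data).
$good = ['instId' => '12345', 'cartId' => 'order-77', 'amount' => '19.99',
         'currency' => 'GBP', 'desc' => 'Two jars of chutney'];
$bad  = $good;
$bad['desc'] = '"><script>alert(1)</script>';        // attribute break-out attempt

echo validate_checkout($bad) === null ? "injection attempt rejected\n" : "BUG\n";
echo render_redirect_form(validate_checkout($good), WORLDPAY_URL);
```

Run from the command line (php redirect_example.php) it prints the rendered form for the constructed valid order and reports that the injection attempt was rejected before it ever reached the session. The order of the two defences matters: htmlspecialchars() only protects this page's own HTML, so the whitelist check has to come first, and the 303 redirect plus single-use session entry is what gives the browser a clean GET to the payment page, which is the part the server-side cURL call in post #1 could never do.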

  10. #10  NickFitz

    Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.

    Fun fact: when I was at Yahoo! (over a decade ago now) we used Symfony and PHP, but Y! had its own internal build of PHP which had a bunch of extra sanitation built into the construction of $_POST and the others. The raw versions, equivalent to normal PHP, were available under different names (something like $_POST_RAW and so on), but any code which accessed them had to have prior written approval, undergo a special code review by senior Paranoids (the name for Y!'s security specialists), and have the Paranoids' written signoff and be fully documented before it could be put into production.

    Also, one day I was having a problem with a Symfony setup, and it so happened the creator of Symfony had been hired by Y! and had just been flown to London for an internal conference we were having. So he came to my desk and sorted it all out for me there and then

    (Another speaker knocking around the department that day was Rasmus Lerdorf, the creator of PHP.)

    Anyway, to get back to the matter at hand: as you say, if you're just grabbing stuff from $_POST and sending it along to WorldPay via CURL, it should be all right as they'll have their own checks and balances. You might want to do a bit of sanity checking on it before passing it through just to avoid annoying them, but it'll probably be OK
